Snort mailing list archives
Re: Can I stop these port 53 detects?
From: Phil Wood <cpw () lanl gov>
Date: Thu, 21 Jun 2001 15:50:44 -0600
You need some pass rules for 53 -> 53. And you need to fix the <1024 rule. It probably has a :1024 in it. That catches legitimate DNS of the form 1024 -> 53. Change it to :1023.

On Thu, Jun 21, 2001 at 08:06:09PM +0000, info.sec () att net wrote:
Greetings,

I hope this isn't in a FAQ somewhere - I couldn't find it. I'm running Snort 1.7 on an OpenBSD 2.8 system. I have a line in my snort.conf file like this:

# Define the addresses of DNS servers and other hosts
var DNS_SERVERS [aa.bb.cc.dd/32,ee.ff.gg.hh/32]

But my alert log still fills up with these:

[**] MISC source port 53 to <1024 [**]
06/21-12:55:52.409466 ee.ff.gg.hh:53 -> 1.2.3.4:685
UDP TTL:246 TOS:0x0 ID:35418 IpLen:20 DgmLen:205 DF
Len: 185

Where 1.2.3.4 is the outside interface of my firewall. Is there anything I can do to stop Snort from keying on these port 53 packets from one of our DNS servers?

TIA!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Phil Wood, cpw () lanl gov
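The port-range point in the reply above, modelled as an added example (not part of the original message and not Snort's own code). It assumes the alert rule has the shape "source port 53 to :1024", ignores addresses, and uses constructed packets; the tuple layout and function names are hypothetical.

```python
# Added example: a small model of Snort port specs and rule ordering.
# Addresses are ignored; a real pass rule would also name the DNS servers.

def port_matches(spec, port):
    """Snort port spec: 'any', 'N', 'LO:HI', ':HI', 'LO:', optional leading '!'.
    Both ends of a range are inclusive, so ':1024' includes port 1024."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body == "any":
        hit = True
    elif ":" in body:
        lo, hi = body.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(body)
    return hit != negate

def rule_matches(rule, sport, dport):
    _action, src_spec, dst_spec = rule
    return port_matches(src_spec, sport) and port_matches(dst_spec, dport)

def verdict(rules, sport, dport):
    """Evaluate pass rules before alert rules (Snort 1.x needs -o for this order)."""
    for action in ("pass", "alert"):
        for rule in rules:
            if rule[0] == action and rule_matches(rule, sport, dport):
                return action
    return "none"

# Assumed rule shapes: (action, source port spec, destination port spec).
BEFORE = [("alert", "53", ":1024")]
AFTER = [("pass", "53", "53"), ("alert", "53", ":1023")]

# Constructed packets (sport, dport); 53 -> 685 is the port pair in the quoted alert.
PACKETS = [(53, 1024), (53, 53), (53, 685), (53, 1023)]

def compare():
    return [(s, d, verdict(BEFORE, s, d), verdict(AFTER, s, d)) for s, d in PACKETS]

if __name__ == "__main__":
    for s, d, before, after in compare():
        print(f"{s:>5} -> {d:<5} before={before:<5} after={after}")
```

In this model a reply to destination port 1024 stops alerting once the bound is :1023, 53 -> 53 is passed, and destinations that are still below 1024 and not 53 keep matching the alert rule.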